On 2011-01-31, at 15:26, Ted Lemon wrote:

> On Jan 31, 2011, at 2:32 PM, Joe Abley wrote:
>> It's scrappy, and it's little more than I have said on this list in the past
>> week, but I thought it might be handy to have in written form.
>
> I'm not entirely sure I grokked section 6. It sounds like you're proposing
> that we use locally-configured X.509 certs from certificate authorities as
> the only mechanism for validating the trust anchor that we retrieve from the
> IANA.

The problem I was trying to find a solution for was how an unattended validator with default configuration that nobody is ever going to change, and which might sit on the shelf for a year before it is plugged in, can find a useful trust anchor for the root zone.

ICANN has made no promises about the longevity of either the PGP key or the certificate used to generate the S/MIME signature over the root-anchors.xml file, so that's not necessarily the right answer.

Using signatures from established X.509 CAs whose policy and practice statements confirm their intention for keys to be long lived seems like a solution that would work, more or less with what is published today, and that's what we wrote up. It also doesn't depend on a single key; if a variety of certificates were available (as opposed to the single certificate from the IANA CA today) there is operational recourse to events such as CA failure/compromise that doesn't involve truck-roll.

For some platforms using a SysTrust-accredited CA trust anchor seems like it comes for free, since the operating system vendor already maintains that list as part of its regular software update process.

No doubt there are other answers.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop